Set Up a Secure FTP Server Using SSL/TLS on Ubuntu


In this tutorial, we will describe how to secure an FTP server (VSFTPD stands for "Very Secure FTP Daemon") using SSL/TLS in Ubuntu 16.04/16.10.

If you are looking to set up a secure FTP server for CentOS-based distributions, you can read - Secure an FTP Server Using SSL/TLS on CentOS

After following the various steps in this guide, you will understand the fundamentals of enabling encryption services on an FTP server, and why that is crucial for secure data transfers.

  1. You must have installed and configured an FTP server in Ubuntu

Before we move further, make sure that all commands in this article are run as root or via a sudo-privileged account.

Step 1: Generating an SSL/TLS Certificate for FTP on Ubuntu

1. We will begin by creating a subdirectory under /etc/ssl/ to store the SSL/TLS certificate and key files, if it does not already exist:

$ sudo mkdir /etc/ssl/private

2. Now let's generate the certificate and key in a single file by running the command below.

$ sudo openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -days 365 -newkey rsa:2048

The above command will prompt you to answer the questions below; don't forget to enter values that apply to your scenario.

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Lower Parel
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint.com
Organizational Unit Name (eg, section) []:Linux and Open Source
Common Name (eg, your name or your server's hostname) []:tecmint
Email Address []:[email 
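The same certificate generation as an added, scripted example (written for this page, not part of the original tutorial): -subj answers the prompts non-interactively, and three checks follow that the tutorial does not show: that the key and the certificate written into the one PEM file belong together, that the file is readable only by its owner (it contains the private key), and that the certificate is valid for the expected period. The subject values are constructed, and the output path is an assumption: pass /etc/ssl/private/vsftpd.pem as the first argument when running as root; without an argument a temporary file is used.

```shell
#!/bin/sh
# Added example, not from the original tutorial: generate the combined
# key+certificate file non-interactively and check it before vsftpd uses it.
# Paths and subject values are assumptions/constructed; see the lead-in.

# gen_vsftpd_pem OUTFILE SUBJECT: the tutorial's openssl call with -subj
# replacing the interactive prompts. umask 077 runs in a subshell so a new
# file is created mode 600 without changing the caller's umask.
gen_vsftpd_pem() {
    ( umask 077
      openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
          -keyout "$1" -out "$1" -subj "$2" 2>/dev/null )
}

# pem_key_matches_cert FILE: 0 when the RSA modulus of the private key
# equals the modulus of the certificate's public key in the same file.
pem_key_matches_cert() {
    keymod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    certmod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    [ -n "$keymod" ] && [ "$keymod" = "$certmod" ]
}

# pem_is_private FILE: 0 when group and others have no permission bits
# (stat -c %a prints the octal mode, e.g. 600).
pem_is_private() {
    case "$(stat -c %a "$1")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# pem_valid_for_days FILE DAYS: 0 when the certificate does not expire within
# DAYS days (openssl x509 -checkend takes a number of seconds).
pem_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# pem_subject FILE: print the certificate subject, to confirm the -subj
# values landed where the interactive answers would have gone.
pem_subject() {
    openssl x509 -in "$1" -noout -subject
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    out=${1:-$(mktemp)}
    # Constructed subject; replace with the values for your own server.
    gen_vsftpd_pem "$out" "/C=IN/ST=Maharashtra/L=Mumbai/O=TecMint.com/OU=Linux and Open Source/CN=tecmint"
    pem_subject "$out"
    pem_key_matches_cert "$out" && echo "key and certificate match"
    pem_is_private "$out" && echo "$out is readable by its owner only"
    pem_valid_for_days "$out" 364 && echo "certificate valid for at least 364 days"
}

main "$@"
```

The permission check matters because the tutorial stores the private key and the certificate in one file: anything that can read /etc/ssl/private/vsftpd.pem can impersonate the server, so the file should stay mode 600 and owned by root.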

Step 2: Configuring VSFTPD to Use SSL/TLS on Ubuntu

3. Before we perform any VSFTPD configuration, those who have the UFW firewall enabled have to open port 990 and the port range 40000-50000, to allow TLS connections and the passive port range that will be set in the VSFTPD configuration file, respectively:

$ sudo ufw allow 990/tcp
$ sudo ufw allow 40000:50000/tcp
$ sudo ufw status

4. Now, open the VSFTPD configuration file and define the SSL details in it:

$ sudo vi /etc/vsftpd/vsftpd.conf
OR
$ sudo nano /etc/vsftpd/vsftpd.conf

Then, add or locate the ssl_enable option and set its value to YES to activate the use of SSL, and, because TLS is more secure than SSL, we will restrict VSFTPD to use TLS instead by enabling the ssl_tlsv1 option:

ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

5. Next, comment out the lines below using the # character, as follows:

#rsa_cert_file=/etc/ssl/private/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

After that, add the lines below to define the location of the SSL certificate and key file:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

6. Now, we also have to prevent anonymous users from using SSL, and then force all non-anonymous logins to use a secure SSL connection for data transfer and for sending the password during login:

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

7. Furthermore, we can use the options below to add extra security features to the FTP server. With the option require_ssl_reuse=YES, all SSL data connections are required to exhibit SSL session reuse, proving that they know the same master secret as the control channel. Therefore, we should disable it.

require_ssl_reuse=NO

Additionally, we can set which SSL ciphers VSFTPD will permit for encrypted SSL connections with the ssl_ciphers option. This helps frustrate attackers who try to force a specific cipher in which they may have found vulnerabilities:

ssl_ciphers=HIGH

8. Then, let's define the port range (minimum and maximum port) for passive ports.

pasv_min_port=40000
pasv_max_port=50000

9. To enable SSL debugging, meaning that OpenSSL connection diagnostics are recorded in the VSFTPD log file, we can use the debug_ssl option:

debug_ssl=YES

Finally, save the file and close it. Then restart the VSFTPD service:

$ systemctl restart vsftpd
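Steps 4 to 9 applied as one added, rerunnable shell script (example code written for this page, not part of the original tutorial or of vsftpd). It edits the file with an idempotent key=value helper and then audits the result against the same list, so a later edit that weakens the hardening (for instance ssl_sslv3=YES or force_local_logins_ssl=NO) is reported. The config path is an assumption passed as the first argument: the tutorial edits /etc/vsftpd/vsftpd.conf, while the vsftpd package on Ubuntu installs its file as /etc/vsftpd.conf, so pass whichever exists on your system. With no argument the script runs on a constructed sample file so it can be tried without root.

```shell
#!/bin/sh
# Added example, not from the original tutorial: apply and audit the SSL/TLS
# settings from steps 4 to 9 of the page. Config path is an assumption ($1).

# vsftpd_set CONF KEY VALUE: replace an existing active "KEY=" line, or
# append one if none exists. Rerunning never duplicates a line.
vsftpd_set() {
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# vsftpd_comment CONF REGEX: put # in front of every active line whose start
# matches REGEX (a sed basic regular expression). Already-commented lines
# do not match, so this is safe to rerun.
vsftpd_comment() {
    sed -i "s|^\($2\)|#\1|" "$1"
}

# vsftpd_get CONF KEY: value of the last active "KEY=" line, empty if unset.
vsftpd_get() {
    grep "^$2=" "$1" | tail -n1 | cut -d= -f2-
}

# The settings the tutorial adds in steps 4 to 9, used both for applying
# and for auditing.
TUTORIAL_SETTINGS='ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=40000
pasv_max_port=50000
debug_ssl=YES'

# apply_tutorial_config CONF: comment out the packaged snakeoil certificate
# lines (step 5), then set every tutorial value (steps 4 to 9).
apply_tutorial_config() {
    vsftpd_comment "$1" 'rsa_cert_file=.*snakeoil'
    vsftpd_comment "$1" 'rsa_private_key_file=.*snakeoil'
    printf '%s\n' "$TUTORIAL_SETTINGS" | while IFS='=' read -r key value; do
        vsftpd_set "$1" "$key" "$value"
    done
}

# vsftpd_audit CONF: print one line per expected setting that is missing or
# differs, plus any still-active snakeoil line; return 1 if anything failed.
vsftpd_audit() {
    fails=0
    for pair in $TUTORIAL_SETTINGS; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(vsftpd_get "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "WRONG: want $key=$want, found ${have:-unset}"
            fails=$((fails + 1))
        fi
    done
    if grep -q '^rsa_.*snakeoil' "$1"; then
        echo "WRONG: packaged snakeoil certificate still active"
        fails=$((fails + 1))
    fi
    if [ "$fails" -eq 0 ]; then echo "audit passed: $1"; return 0; fi
    return 1
}

# make_sample_conf: constructed sample resembling the relevant lines of an
# unconfigured vsftpd.conf (SSL off, packaged snakeoil certificate), so the
# script can be tried without touching a real server.
make_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=NO
rsa_cert_file=/etc/ssl/private/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
EOF
    echo "$f"
}

conf=${1:-$(make_sample_conf)}
echo "before:"; vsftpd_audit "$conf" || true
apply_tutorial_config "$conf"
echo "after:";  vsftpd_audit "$conf"
```

After running it against the real file, restart vsftpd as in the step above and keep the audit function around: running it from cron or a configuration check gives an early warning if someone later re-enables SSLv3 or turns the forced-SSL options off.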

Step 3: Verify FTP with SSL/TLS Connections on Ubuntu

10. After doing all the above configuration, test whether VSFTPD is now using SSL/TLS connections by trying to use FTP from the command line, as below.

In the output below, there is an error message telling us that VSFTPD only allows (non-anonymous) users to log in from secure clients that support encryption services.

$ ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : ravi
530 Non-anonymous sessions must use encryption.
Login failed.
421 Service not available, remote server has closed connection
ftp>

The command-line ftp client does not support encryption services, hence the error above. Therefore, to connect securely to an FTP server with encryption services enabled, we need an FTP client that supports SSL/TLS connections by default, such as FileZilla.
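As an added example (not part of the original tutorial), the same check done from the command line with openssl s_client, which does speak TLS: probe_ftp_tls starts an explicit-FTPS handshake (AUTH TLS on the control port) and check_handshake reads the session block of the report and fails if the server fell back to SSLv2/SSLv3 or to no cipher at all. The host name and port are assumptions, and the two s_client reports embedded below are constructed samples so the parsing can be run offline.

```shell
#!/bin/sh
# Added example, not from the original tutorial: test the TLS setup with
# openssl s_client. Host/port are assumptions; both sample reports are
# constructed for this example.

# probe_ftp_tls HOST [PORT] [OUTFILE]: explicit FTPS handshake against the
# FTP control port; s_client's report (certificate chain, protocol, cipher,
# verify result) is written to OUTFILE, default standard output.
probe_ftp_tls() {
    openssl s_client -connect "$1:${2:-21}" -starttls ftp </dev/null \
        >"${3:-/dev/stdout}" 2>&1
}

# handshake_field FILE NAME: value of the "NAME : value" line in the
# SSL-Session block of an s_client report (e.g. Protocol, Cipher).
handshake_field() {
    sed -n "s/^ *$2 *: *//p" "$1" | head -n1
}

# check_handshake FILE: 0 when the session used TLS 1.x with a real cipher;
# 1 for SSLv2/SSLv3, a null cipher (printed as 0000 or (NONE) when the
# handshake did not complete), or a report with no session block at all.
check_handshake() {
    proto=$(handshake_field "$1" Protocol)
    cipher=$(handshake_field "$1" Cipher)
    case "$proto" in
        TLSv1|TLSv1.[123]) ;;
        *) echo "FAIL: protocol '${proto:-none}' is not TLS"; return 1 ;;
    esac
    case "$cipher" in
        ""|0000|"(NONE)") echo "FAIL: no cipher negotiated"; return 1 ;;
    esac
    echo "OK: $proto with $cipher"
    # Reported, not enforced: the tutorial's certificate is self-signed, so
    # without -CAfile the verify code is 18 (self signed certificate).
    sed -n 's/^ *Verify return code: /verify: /p' "$1" | head -n1
    return 0
}

# Constructed sample: what s_client prints after a successful explicit-FTPS
# handshake with a self-signed certificate like the one from step 1.
SAMPLE_OK=$(mktemp)
cat >"$SAMPLE_OK" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:C = IN, ST = Maharashtra, L = Mumbai, O = TecMint.com, CN = tecmint
   i:C = IN, ST = Maharashtra, L = Mumbai, O = TecMint.com, CN = tecmint
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
---
EOF

# Constructed sample: the shape of the report when the handshake did not
# complete (for example because the server still has ssl_enable=NO).
SAMPLE_FAIL=$(mktemp)
cat >"$SAMPLE_FAIL" <<'EOF'
CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
---
EOF
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_FAIL"' EXIT

check_handshake "$SAMPLE_OK"
check_handshake "$SAMPLE_FAIL" || echo "(expected: the constructed failure sample)"
# Against a live server (host/port assumed):
#   probe_ftp_tls 192.168.56.10 21 /tmp/ftps.txt && check_handshake /tmp/ftps.txt
```

With the self-signed certificate from step 1, the verify return code will be 18 (self signed certificate); that is expected and is the same thing FileZilla asks you to confirm manually in step 14. To make the check verify the server identity instead, export the certificate part of the PEM with openssl x509 -in /etc/ssl/private/vsftpd.pem -out vsftpd.crt, copy vsftpd.crt to the client, and add -CAfile vsftpd.crt to the s_client command.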

Step 4: Install FileZilla on Clients to Connect to FTP Securely

11. FileZilla is a powerful, widely used FTP client that supports FTP over SSL/TLS and more. To install FileZilla on a Linux client machine, use the following command.

--------- On Debian/Ubuntu ---------
$ sudo apt-get install filezilla   

--------- On CentOS/RHEL/Fedora --------- 
# yum install epel-release filezilla

--------- On Fedora 22+ --------- 
$ sudo dnf install filezilla

12. Once the installation completes, open it and go to File=>Site Manager (or press Ctrl+S) to get the Site Manager interface below.

13. Now, define the host/site name, add the IP address, and define the protocol to use, the encryption and the logon type as in the screenshot below (use values that apply to your scenario):

Click on the New Site button to configure a new site/host connection.

Host:  192.168.56.10
Protocol:  FTP – File Transfer Protocol
Encryption:  Require explicit FTP over   #recommended 
Logon Type: Ask for password	        #recommended 
User: username

14. Then click Connect from the interface above to enter the password, verify the certificate being used for the SSL/TLS connection, and click OK once more to connect to the FTP server:

15. Now, you should be logged in successfully to the FTP server over a TLS connection; check the connection status section for more information in the interface below.

16. Lastly, let's transfer files from the local machine to the FTP server in the files folder; check the lower end of the FileZilla interface to view reports concerning file transfers.

That's all! Always remember that installing an FTP server without enabling encryption services has certain security implications. As we explained in this tutorial, you can configure an FTP server to use SSL/TLS connections to implement security in Ubuntu 16.04/16.10.

If you face any issues in setting up SSL/TLS on your FTP server, use the comment form below to share your problems or thoughts concerning this tutorial/topic.